Hi all,
I'm playing around with Fedora3, trying to make apache + php + mysql play well together, but it seems SELinux is getting in the way. I keep getting: "#2002 - Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)" when using phpMyAdmin.
My understanding of the situation is that apache is running under a diffenet security domain than mysql, specifically apache is running "user_u:system_r:httpd_t" context, while the myqsl socket has the "user_ubject_r:var_lib_t" security context.
I know SELinux can be disabled, which I did by booting with the option "enforcing=0" and the whole thing worked great. Googling around gave the following url: http://www.codecomments.com/PHP_SQL/message323526.html , which also suggests turning off SELinux, which defeats the whole Security Enhanced thing!
The article about SELinux on Red Hat Magazine, http://www.redhat.com/magazine/001no...tures/selinux/ , talks about "transition" between security domains, but doesn't specify how to actually implement it...

Any ideas?
Thanks in advance :-)

I've had the exact same problem, unfotunately I don't really have the time to spend messing around with it too much though.

I use my machine for software development and apache/mysql are crucial to my work, I've just turned SELinux off as its more trouble than its worth!

• Firstly every time I put something on the webserver you've gotta chcon it - pain in the ass!
• Sencondly I got the same error with phpMyAdmin 2002 cannot connect to socket

SELinux is a good idea but if it stops you working then that defeats the object of it entirely. I'm going to see if I can figure out a way to make it all run smoothly when I get some spare time and if I find anything I will post again.

Disable the SELinux protection on the HTTPD will fix this problem. To do so:
- Go to the Security Level, under System Settings
- Click on the SELinux tab
- Drop down the HTTPD Service entry
- Check the box that says "Disable SELinux protection for httpd daemon"

This should work.

Have fun!!

You probably only need to restore all of the mysql file security contexts...
That should do it..

Miles.

But what i must do if i don't want to disable SELinux for httpd ?

Can anybody say what i must do for turning on apache + mysql + selinux ?

for info: i have FC3 without

in messages (after start mysqld + restorecon):

<bla-bla> kernel: audit(1106899796.621:0): avc: denied { write } for pid=2358 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=292796 scontext=root:system_r:httpd_t tcontext=system_ubject_r:var_lib_t tclass=sock_file


2 Butt-Ugly:
1. after start mysql creates mysql.sock again with incorrect context
2. even i run restorecon again after mysqld's start it doesn't help

This problem was hashed out in a fairly readable way in the RedHat fedora-selinux-list forum. The initial post is now at

https://www.redhat.com/archives/fedo.../msg00013.html

You'll want to read most of the followups.

The preferred solution involves creating an selinux domain, "mysqld_t," that has permission to read and write a particular socket. Manipulating selinux sounds hairy, but the instructions are fairly straightforward. The correct solution is the first one suggested in

https://www.redhat.com/archives/fedo.../msg00015.html

NB: the line that reads:
* service mysql restart
should read:
* service mysqld restart

good luck!

Work through these two tutorials, I just did and have a working LAMP server running on FDC3 with selinux on and I got everything I needed from them.

http://www.lamphowto.com/lamp.htm
http://www.mikepalmer.net/howto/